Malicious PDF — malware analysis report

Static analysis result for SHA-256 502c83f9757af3f9…

Verdict: MALICIOUS
File type: PDF
Size: 51.9 KB
Created: 2020-07-24 11:13:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bcbe322a5fa673d431bec255dd2432f7
SHA-1: 7d28283a09b5ab23529eb503ad184ba92d828fe1
SHA-256: 502c83f9757af3f9c269670d61c7fbf44645ca97eca06a0209db692d13099c5d
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged for containing a malicious redirector link and a large number of external PDF links, suggesting an attempt to manipulate search engine results or distribute further malicious content. The ML classifier also strongly indicated maliciousness. The primary malicious IOC is the redirector URL, which likely leads to a malicious payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector URL (primary IOC): https://ttraff.cc/pify?keyword=common+medical+terms+list+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000834f.bin
  SHA-256: af82b6682dc5e9b0bccb621a95b547ad30f1635c5064213d08c66b41c09c95fe
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x834F
  Size: 5112 bytes

Filename: font_01_sfnt_off00009492.bin
  SHA-256: 16f4160d57fed503545827d55698f7db29bb95910c6d51c68aa63eeec0faa480
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9492
  Size: 15000 bytes